Step 2 - Set Up the EasyRSA PKI Certificate Store

This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily, Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

Create a volume container. This tutorial uses the $OVPN_DATA environment variable to keep the commands copy-paste friendly. Set it to anything you like; the default value ovpn-data is recommended when you run a single OpenVPN Docker container on the host. Setting the variable in the shell lets string substitution fill in the name for you instead of replacing it by hand in every step of the tutorial:

OVPN_DATA="ovpn-data"

Create an empty Docker data volume using the busybox image:

docker run --name $OVPN_DATA -v /etc/openvpn busybox

We’ll now initialize the $OVPN_DATA container, which will hold all of our configuration and certificates.

Make sure you replace vpn.app.com with your intended FQDN, or use the IP address if you are sure you won’t need to change it in the future. If you do need to change it later, you will have to update every client file.

“Note, the security of the $OVPN_DATA container is important. It contains all the private keys to impersonate the server and all the client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevent issuing bogus certificates.”
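A small audit script, added here as an example (it is not part of this tutorial or of the Docker image's own scripts), that checks the two points in the note above: it walks an EasyRSA-style private/ key directory (assumed layout; inside this image's data volume the PKI is assumed to live under /etc/openvpn/pki) and reports any private key readable by someone other than its owner, and a CA key that carries no passphrase.

```shell
#!/bin/sh
# audit_pki DIR: check an EasyRSA PKI directory before trusting the
# $OVPN_DATA volume. Assumed layout (EasyRSA 3 style):
#   DIR/private/ca.key   CA private key
#   DIR/private/*.key    server and client private keys
# Returns 0 when every private key is readable by its owner only and the
# CA key is passphrase-protected (its PEM carries an encryption header),
# otherwise 1 with one diagnostic line per finding on stderr.
audit_pki() {
  dir="$1"
  rc=0
  if [ ! -d "$dir/private" ]; then
    echo "no private/ directory under $dir" >&2
    return 1
  fi
  for key in "$dir"/private/*.key; do
    [ -f "$key" ] || continue
    # Characters 5-10 of "ls -l" output are the group and other permission
    # bits; anything other than "------" lets a non-owner read the key.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
      echo "WEAK PERMS: $key is readable by group or others" >&2
      rc=1
    fi
  done
  ca="$dir/private/ca.key"
  if [ -f "$ca" ]; then
    # PKCS#8 encrypted keys begin with "BEGIN ENCRYPTED PRIVATE KEY";
    # legacy PEM encryption is flagged by a "Proc-Type: 4,ENCRYPTED" header.
    if ! grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$ca"; then
      echo "UNENCRYPTED CA KEY: $ca has no passphrase" >&2
      rc=1
    fi
  else
    echo "missing CA key $ca" >&2
    rc=1
  fi
  return $rc
}

# Stand-alone use: audit_pki /path/to/pki (e.g. the mounted volume's pki dir)
if [ -n "${1:-}" ]; then audit_pki "$1"; fi
```

To run it against the volume, mount $OVPN_DATA into a throwaway container and point the script at the pki directory inside it.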

Step 4 - Generate Client Certificates and Config

Make sure you replace clientname in the following commands with your actual client name. For example, I used vpn2-xyz just to prefix the config files so I knew which server I was connecting to in Tunnelblick.